ModSecurity 2.5.7 for Apache was released today, and it's another maintenance release. The last update we saw for ModSecurity was back in July, which was also a maintenance release. Check out the 8 issues that have been fixed and the one that will never be fixed but has been “resolved” in the changelog: https://www.modsecurity.org/tracker/browse/MODSEC/fixforversion/10011
Thanks http://www.modsecurity.org/ guys!
In this article posted at InformationWeek, the author writes that
“Some of the largest ISPs in the United States have vowed not to monitor Internet users’ activities without permission.”
Verizon, AT&T and Time Warner may have said this, which is good, but Google on the other hand
“Google (NSDQ: GOOG) has also indicated a willingness to allow consumers the choice to opt out of data collection.”
There is a big difference between letting people opt out of a service and having them opt in. I guess the main thing is, nobody is going to OPT in for this, at least without incentives. But when you sign a contract with your ISP, this in effect would release them, giving them your permission to monitor your activities. This isn't a problem if it is easy to opt out, but the problem is that many people do not even read contracts.
It brings up many questions, and what they could do with this mined data just blows my mind.
What parts of the internet service would this affect? E-Mail, HTTP, HTTPS? How about other protocol usage such as bit torrent or FTP?
Powerhouses like Time Warner, Charter and Comcast could use this to tie in with other services such as television.
“Congress has been examining the issue and most ISPs prefer industry-wide standards over increased federal privacy laws. Several ISPs are working together to adopt self-regulatory guidelines. Although not all of those involved in drafting the guidelines have come forward, those who have said they hope to produce a code of conduct by next year.”
I don't think that a code of conduct is enough.
I have an opinion on another quote from the article:
“To put it simply, Deep Packet Inspection is the Internet equivalent of the postal service reading your mail,” she said. “They might be reading your mail for any number of reasons, but the fact remains that your mail is being read by the people whose job it is to deliver it.”
My opinion is that DPI is not the internet equivalent of the postal service reading your mail; it's much worse. Imagine the post office reading and processing your mail, correlating you and other consumers together into targeted marketing types, breaching your privacy for financial gain. This would never have flown back in the good ole days, so why is it ethical to do this now?
This is the first step; the next is wiretaps at phone providers to “monitor your activities for market research”.
A look back in history today as we enter the world of old exploits. I was rummaging around Google when I found this rather long list of exploits http://www.hoobie.net/security/exploits/index.html from back in the day. It appears that some of the files I was interested in 404, but some of them still have text files. It is a great read for anyone interested: a lot of different types of exploits, some that are still common. You will find no SQL injection or PHP code injection in this list, and certainly no cross-site scripting. I don't know how long the site is going to be up, so I may download the files for reference, but my guess is that if it's been up since 2002 (last page update) then it's probably going to be up for a while longer.
Everyone has heard about Palin's email getting hacked. Well, what's all over the news right now is who the script kiddie might be. Turns out that the handle of the poster has been linked to the 20-year-old son of Tennessee Democrat Mike Kernell. How interesting. Now, this is all speculation, but if it was him I wonder whether he used his scriptoicious leetness to “do something awesome” or whether it was instigated. What I do want to see is justice, if the claims are true: he hacked an e-mail account with malicious intent, published private content of another individual and generally caused mischief. I mean, think of the man hours that were lost because of people looking at wikileaks.org. What a hit to the economy.
I was watching the seclists.org mailing list while this was going on and thought it was funny that they were dissecting it before the proxy owner even said they were going to cooperate.
Now, even though David Kernell may have “hacked” Yahoo's password reset feature, do you really think that it was a hack? I mean, kids in high school and college do this all the time to their friends. I bet her password recovery question was easily guessable.
What I find really funny about this is that he got caught; this is funny because if it was him he may have jeopardized his future, and perhaps the reputation of his father. If he did do it, he and his father should be further investigated to make sure that David did this of his own will. All computer equipment should be seized and logs collected.
If David Kernell didn't do it, you have to give credit to whoever pulled this off. I mean, if they never get caught and this was their plan, then bravo. Bravo. Use a script kiddie technique to obtain your information, post it under someone else's name and then divert attention to the media blaming someone else. If the proxy had been gamed, then that adds even more points.
Here is more information from seclists on the case:
On Wed, Sep 17, 2008 at 2:30 PM, Dave Korn wrote:
> Dave Aitel wrote on 17 September 2008 18:44:
>
>> http://wikileaks.org/wiki/Sarah_Palin_Yahoo_inbox_2008
>
> From that page:
>
> “Nb. The ‘ctunnel.com’ reference in the browser screen shots is to a proxy
> service used to prevent the activists from being traced.”
[snip]
> So let me see if I’ve guessed this right: it’s a proxy that rewrites all
> your URLs in rot-13? And this is supposed to “protect your anonymity”?
>
> Those activists are screwed. They better get out of the country PDQ.
> Pardon me, but I’ll be sticking with proper mix chains for now.
Well, this was predictable[1]:
“A Tennessee state legislator has confirmed that his son, a
20-year-old student at the University of Tennessee-Knoxville, is the
person being named on blogs and message boards in connection with the
hacking of Alaska Gov. Sarah Palin’s e-mail account, a Nashville paper
reported late yesterday.”
“State Rep. Mike Kernell told the Tennessean that his son, David
Kernell, is at the center of speculation about the identity of the
hacker who gained access to Palin’s account.”
“On Wednesday, someone identified only as “rubico” posted a
message to 4chan.org’s popular /b/ board claiming to have gained
access to Palin’s e-mail by using Yahoo’s password reset feature.
Although the post was deleted from 4chan.org, a copy was sent to
conservative syndicated columnist Michelle Malkin, who published it on
her blog Wednesday.”
But it gets better: why worry about the suitability of ROT-13 when you
have logs? I believe the term is “LULZ!”:
“Gabriel Ramuglia, the webmaster of an Athens, Ga.-based proxy
service, may be able to shed light on the identity of the hacker as
early as today. On Thursday, Ramuglia said that the FBI had contacted
both him and Yahoo the day before, asking for server logs to determine
who had accessed Palin’s account.
“Ramuglia operates Ctunnel, an ad-supported proxy service targeted
primarily at users in schools or businesses who want to access sites
that are normally blocked by network administrators. Screenshots of
several messages from Palin’s account showed that the hacker had used
Ramuglia’s proxy service in an attempt to hide his or her tracks.”
“He was also confident he would be able to pinpoint the person who
used his proxy service to access Palin’s account. “I should be able to
track it down to their original ISP, and then the IP address of the
person who did it,” Ramuglia said. “Who did this abused my service and
broke the law.”
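The two points the thread makes (ROT-13 URL rewriting protects nothing, and the proxy operator's logs identify the client anyway) can be shown with the kind of log review an operator does when asked to trace abuse. This is an added example, not code from the thread or from Ctunnel; the Apache-style log lines, the `/proxy/` path layout and the IP addresses are constructed for illustration.

```python
import codecs
import re
from urllib.parse import urlsplit

# Constructed sample access log for a CGI web proxy that ROT-13s the
# destination URL inside the request path (the layout is made up here).
SAMPLE_LOG = """\
10.0.0.5 - - [17/Sep/2008:13:02:11 -0400] "GET /proxy/uggc://ybtva.lnubb.pbz/ HTTP/1.1" 200 5120
10.0.0.9 - - [17/Sep/2008:13:02:40 -0400] "GET /proxy/uggc://jjj.rknzcyr.pbz/arjf HTTP/1.1" 200 812
10.0.0.5 - - [17/Sep/2008:13:03:02 -0400] "GET /proxy/uggc://znvy.lnubb.pbz/aro/ HTTP/1.1" 200 20000
192.0.2.77 - - [17/Sep/2008:13:05:59 -0400] "GET /proxy/uggc://znvy.lnubb.pbz/aro/ HTTP/1.1" 200 19876
"""

# Common Log Format: client, ident, user, [time], "method path proto", status, bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)
PROXY_PREFIX = "/proxy/"  # assumed prefix in front of the ROT-13 URL


def decode_proxied_url(path: str) -> str:
    """Strip the proxy prefix and undo ROT-13 to recover the real destination.
    ROT-13 is an obfuscation, not a cipher: decoding needs no key at all."""
    if not path.startswith(PROXY_PREFIX):
        raise ValueError(f"not a proxied path: {path}")
    return codecs.decode(path[len(PROXY_PREFIX):], "rot_13")


def parse_log(text: str) -> list[dict]:
    """Parse each log line into client IP, timestamp, method, status and
    the decoded destination URL. Lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["url"] = decode_proxied_url(rec.pop("path"))
        rec["status"] = int(rec["status"])
        entries.append(rec)
    return entries


def clients_for_host(entries: list[dict], host: str) -> list[str]:
    """Answer the operator's question: which client addresses reached `host`
    through the proxy? Sorted and de-duplicated for hand-off to an ISP."""
    return sorted({e["client"] for e in entries if urlsplit(e["url"]).hostname == host})
```

The decoded destination sits next to the client address on every line, so the proxy shields the user from the destination site only, never from whoever holds the proxy's logs.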
My favorite vulnerability from this week is the Apple QuickTime/iTunes QuickTime Type Remote Buffer Overflow found by securfrog. This vulnerability has proof-of-concept Perl code which can cause a remote crash in Firefox, IE or any browser using the QuickTime plugin. No shellcode execution has been confirmed yet. I wonder when Apple is going to patch this one.
The internet is so much a part of life and business these days that desktop applications are still a target. It is easy for a malicious user to exploit a desktop application via social engineering, man-in-the-middle attacks, phishing and other means. In my opinion graphic designers are a good target for those with ill intent. Think about it: while most of their work relies on using a computer, they may not have the technical skills to understand the dangers of opening strange files or visiting URLs. Graphic designers also often work on new products for companies, and therefore have inside information on a product as they are designing identities and media. Here is a vulnerability targeting the popular Adobe Illustrator. What irritates me about such products is that the end user must rely on the vendor for a patch. In this case CS2 has been replaced with CS3. Adobe products also have a tendency to be expensive, so it is unlikely that every graphic designer will update.
http://www.securityfocus.com/bid/31208/info
Adobe Illustrator is prone to a remote code-execution vulnerability. An attacker can exploit this issue by enticing an unsuspecting victim to open a malicious AI file. Successfully exploiting this issue will allow attackers to execute arbitrary code with the privileges of the user running the affected application. This issue affects only Adobe Illustrator CS2 for Macintosh.
In the world of security a lot can happen in three days. Let's take the popular web content management system Drupal. Over the past three days both Secunia and SecurityFocus have published a total of five Drupal vulnerabilities. Although these issues have all been patched in the latest release of Drupal, many companies and organizations on the web rely on Drupal to handle their day-to-day business, but how many of them keep their installation up to date? Cross-site scripting (HTML injection), SQL injection and security bypasses are the attack vectors targeted in these five Drupal vulnerabilities.
According to a post from Out-Law.com, a US court has ruled that an employee has no privacy on company computers.
Basically the man was convicted of stealing $650,000 from his employer while working as a bookkeeper. The story notes his desktop and laptop were searched without warrants, and there was confusion over whether the laptop was his personal property and whether he had abandoned it. The court relied on a previous case whose ruling said that someone who abandons property no longer has an expectation of privacy in relation to it.
But what about the personal property? The man claimed that he paid for the laptop himself, but is someone who has stolen money from a company (especially $650,000) really entitled to say that they paid $500 for a laptop from that very company? To add more confusion, it turns out that the laptop was also paid for once on a company card. There is some shady accounting going on, and the man probably was guilty. As for privacy at work, he wasn't really at work when the searches were done. Do you have a right to privacy after you leave? What if you format your hard drive? You could serve some time for sabotage. This is exactly why companies should have clear privacy policies and computer usage policies governing the use of computers, data and communications. If the company needs information off of their own property, they should be entitled to that information, but what came first, the chicken or the egg?
I've been subscribed to the IDG Connect mailing list for a while now, and while I don't read all of the content they send me, this one caught my attention. I'm not going to be viewing this webcast since I have prior arrangements, but anyone else is welcome to sign up for it. If you're looking for a web application security primer this might be a good one. I'll check it out once it's finished if they put it online. It starts at 1PM EDT, so you've got about an hour and 10 minutes.
In the movies, getting past high-tech security is no joke. Like that scene in Minority Report when Tom Cruise has trouble hanging onto the squishy eyeball he needs to trick the retinal scanner. Or in Resident Evil, when the infiltration team meets up with those unfriendly lasers… Thankfully, in the real world, we’re not there yet. So it’s probably best to keep your eyes looking inwards, on the network. Learn the vulnerabilities of Web applications and how they put your organization at risk.
For a detailed overview of how you can test for vulnerabilities and the tools you need, register for the complimentary online presentation “Learn how to protect your corporate web application now! Web Application Security: Causes, Discovery and Remediation.”
This presentation, courtesy of eEye Digital Security and IDG Connect, will take place tomorrow, Tuesday, September 16, 2008 at 10:00 AM PDT/ 1:00 PM EDT. Register now, join your colleagues and have your questions answered live by expert presenters, all from the comfort of your PC.
We think you’ll find it both interesting and beneficial.
Proof-of-concept code has been released for the phpMyAdmin vulnerability, and all versions prior to 2.11.9.1 need to be updated. The RC release of 3.0.0 is reportedly vulnerable also. RC2 was released this morning; I cannot tell from the “Notes” section whether RC2 fixes this problem. http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0